Banking and finance dispute resolution
For the latest news and comment on banking and finance disputes.
For the latest news and comment on banking and finance disputes.
For all the latest news and comment in clinical negligence healthcare law
This collection looks at the latest news and comment on commercial contracting healthcare law. With the health and social care sector under…
For all the latest news and comment in employment and pensions healthcare law
For all the latest legal and regulatory news and comment in health technology
This collection contains DAC B eachcroft's latest report, The Route to Integrated Healthcare , which provides the first practical examples of how…
This collection looks at the latest strategic, commercial, regulatory and negligence legal and advisory news and comment in health and social care. …
For all the latest news and comment on employment and pensions law.
DAC Beachcroft Dublin specialises in insurance, professional indemnity, defendant personal injury, health, commercial litigation and employment work.…
For all the latest new and comment in tax law.
The GC Collective collection offers insight and comment for General Counsels (GCs) and in-house legal teams.
For the latest news and comment on Corporate, M&A and Equity Capital Markets.
Analysis, commentary and checklists on the legal and governance implications of Brexit on businesses operating in, and trading with, the UK
The Accountant's Liability Collection brings you topical news and insight of interest to accountants, actuaries, trustees and other financial…
Events and online training for the health and social care sector.
DAC Beachcroft's LatAm Quarterly Newsletter discusses topical news and issues in Latin America
In response to client suggestions and requests, DAC Beachcroft's insurance sector flagship publication.
For all the latest legal and regulatory news and comment in health and social care integration
For all the latest news and comment in corporate regulatory healthcare law
Find advice, commentary and thought leadership on all aspects of Director's & Officer's Insurance; from contract formation through to complex…
This collection looks at the latest news, comment and development on the law affecting mental health services. The law affecting mental health…
Our market-leading Information Law team regularly publish articles and updates addressing the ever-evolving Information Law landscape.
This collection looks at our Safety, Health and Environment Team and the products and services they can provide. In the climate of increased…
The Insurance Act 2015 comes into force in August 2016 and will represent a significant change to insurance contract law in this country. This…
Legislative changes are bringing major changes to the Insurance landscape. This collection houses DAC Beachcroft's alerts on the pertinent issues.
For all the latest news and comment in clinical regulatory healthcare law
Organisations face ever-increasing expectations from Government, regulators, customers or service users, and other stakeholders, so scrutiny and…
For all the latest legal and regulatory news and comment in healthcare estates and facilities management
This collection addresses the full spectrum of cyber security and data risk management – the zeitgeist of our age.
We have acted for clients in the majority of significant product liability cases that have been decided in the UK over the last 35 years. Our product…
Considering the future landscapes of our cities
The European General Data Protection Regulation (GDPR) came into force on 25 May 2016. A rewrite of European data protection law, the GDPR imposes…
Considering the future of housing
For the latest news and comment on public procurement law.
Welcome to the Construction Risks collection. This space is used to report upon issues of interest to those who seek to allocate, manage and reduce…
Technology, brands and intellectual capital are key assets for any successful business. Our intellectual property (IP) team are experts at helping…
Considering the future of retail
The Insurance Market Conditions and Trends report is DAC Beachcroft's insurance sector flagship publication. Now in its tenth year, the report…
The Solicitors' Risk Collection addresses issues and developments affecting legal practitioners, and the professional indemnity insurers of legal…
Published On: 19 April 2016
Following the recent decision by the Court of Justice of the European Union (the "CJEU") in Bara & Others (C-201/14) ("Bara"), the Office of the Data Protection Commissioner (the "ODPC") issued an updated guidance note on 5 February 2016 in respect of data sharing arrangements within the public sector (the "Guidance Note"). In essence, the ODPC reiterated the importance of public sector bodies informing data subjects, where applicable, that their personal data will be shared with other public sector bodies under a data sharing arrangement.
The Bara Decision
The case of Bara concerned the processing of personal income data of self-employed Romanian individuals. This data was transferred from the Romanian national tax administration agency to the Romanian national health insurance fund, resulting in individuals being pursued for the payment of arrears of contributions to the national health insurance regime. The individuals complained that their personal data was used, without their knowledge or consent and without being informed, for purposes other than that for which it had been provided to the tax authority.
The CJEU held that the requirement of fair processing of personal data requires a public sector body to inform data subjects of the fact that their data will be transferred to another public sector body for the purposes of processing by the latter agency. This ensures that the rights of the individual are protected as individuals will be aware of how their personal information is used, for what purpose and how the sharing of that information will impact upon them.
Criteria Required for Data Sharing Among Public Sector Bodies
In light of the Bara decision, and as outlined in more detail below, there is a general requirement for public sector bodies to provide an explicit legal basis for a data sharing arrangement. In addition, the ODPC recommends that a public body that engages in data sharing arrangements should, in advance of sharing personal data, inform all individuals whose personal data will be shared about the data sharing arrangement by outlining the information required to be provided under section 2(2D) of the Data Protection Acts 1988-2003 (the "Acts"). If a public sector body chooses not to inform individuals of the data sharing arrangement, that decision should be necessary and proportionate by showing, for example, that the release of this information would jeopardise the achievement of the data sharing objective. The Guidance Note recommends that all current and future data sharing arrangements in the public sector should consider and apply the following criteria:
It is important to remember that any public sector body that receives personal data from another public sector body is a data controller and must comply with the Acts.
The manner in which a public sector body decides to communicate to a data subject depends upon the factual scenario of each case. For example, where individuals are likely to expect their personal data to be shared with another public sector body, an information notice available on the webpage of the public sector body that collected the information from the data subject may be sufficient. However, some data sharing arrangements will require more active communication with the data subject. The ODPC sets out the following themes that agencies should consider when deciding the type of notice required:
(a) Is the public sector body sharing sensitive personal data? (b) Is the data sharing unexpected or objectionable? (c) Will the data sharing have a significant effect on the individual? (d) Is the data sharing widespread or involving entities which individuals might not expect? (e) Is the sharing being carried out for a range of different purposes? (f) Is the individual likely to suffer any detriment as a result of the data sharing arrangement?
If the answer is "yes" to any of the above questions, the ODPC strongly recommends that the public sector body that collected the data from the data subject considers actively communicating the detail of the data sharing arrangement to each individual.
Recommended next steps
In light of the Guidance Note, we recommend that all public sector bodies conduct a full review of their data sharing arrangements in order to ensure they adhere to the ODPC's recommendations. The following practical steps can be taken:
(a) Identify what the arrangement is meant to achieve; (b) Identify whether the objective could be achieved without sharing the data or by anonymising it; (c) Identify the minimum information required to achieve that purpose; (d) Identify any risks which the data sharing may pose; and (e) Identify when and how often the data should be shared.
Read the full Guidance Note here.
Submitted by Rowena McCormack, Associate and Charlotte Burke, Solicitor